What happens when the CIO gets this message: a possible data breach!

CIOs have five key responsibilities upon learning their hospital or health system is experiencing a data breach, according to Patty Lavely, interim CIO and principal consultant for CIO Consulting and former senior vice president and CIO of Gwinnett Medical Center in Lawrenceville, Ga.

At the Becker's Hospital Review Health IT + Revenue Cycle Conference in Chicago, Ms. Lavely delivered a presentation titled "'Medical Center investigating a possible data breach!' - A CIO's perspective on the other side of the headlines."

Ms. Lavely outlined her experience as a senior vice president and CIO of Gwinnett Medical Center when the hospital experienced a data breach. She received a call on her way to work informing her that documents were coming out of several hospital printers with the words “We own you” and a list of patient names. The incident response included the legal, risk, compliance and technology departments. They contacted outside legal counsel and IT forensic consultants.

"When you get the phone call that the network is down, it's like a kick in the gut," Ms. Lavely said. "It sort of took my breath away when I realized we had a problem."

During a time of crisis, she said, the CIO's role includes the following responsibilities:

Determine immediate risk to system stability

Provide leadership to security incident command

Work with legal, compliance and PR on messaging

Communicate to senior leadership

Lead the IT staff supporting the forensic investigation

The event took place over three weeks, beginning Sept. 27, 2018, when the wireless phone system at one hospital went down and the threatening documents began printing. The health system then experienced a denial-of-service attack on a conference room scheduling app, an anonymous call to HHS reporting the breach and an unsuccessful attack on the email system. The FBI arrived at the hospital following the HHS report.

The threat actor also contacted a security publication to report the data breach and described what they were doing to the hospital, and posted several patient names and other updates about what was happening on Twitter.

The hospital's forensic investigation ran over a three-month period to help it understand where the compromises occurred and how much PHI was breached. The hospital then worked through requests from the FBI.

"It became obvious after looking at all the information, [the threat actor] was trying to reach us. I don't know what they would have done if we tried to communicate with them," she said. The threat actor focused on known vulnerabilities, specifically in medical devices.

Ms. Lavely outlined the hospital's lessons learned:

Practice, practice, practice for security incidents

Biomedical devices are a vulnerability

Physical security should be part of the governance of the cybersecurity plan

CIOs must participate in the cybersecurity program

Board leadership needs to understand the organizational risk

"A real incident is always much different than practice. That goes for any disaster. With all the scenarios you come up with, you can't mimic a real incident, but you can prepare," she said. "I'm very proud of the response of the organization and my team, and I look forward to being able to share part two of this when the FBI finishes their investigation," she added.